JP2003131867A - Random number generation device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a high-performance random number generation device which has a high tolerance to disturbance, can easily generate secure random numbers in terms of a cryptographic theory, and fits to be miniaturized. SOLUTION: This system is constituted with a physical random number generation device to generate physical random numbers, the random number generation device to generate pseudorandom number data, and a coupler to perform logical operation with the physical random numbers and the pseudorandom numbers and generate logical operation data. And, the system is constituted with a decision means which captures the logical operation data and decides whether or not characteristics of the random numbers for the captured logical operation data is sufficient.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a random number generator.

[0002]

2. Description of the Related Art With the development of the Internet and intranet, international transactions, transactions of different industries, electronic data exchange (ED
New markets such as I: Electronic Data Interchange) are being actively cultivated. On the other hand, due to the open nature of the Internet, it is necessary to deal with fraudulent acts (eavesdropping, tampering, spoofing, vandalism, etc.) on information passing over the network, and development of security technology is urgently needed.

Cryptography is widely used to ensure the security of networks, and for example, there is a digital signature algorithm (DSA) standardized in the United States. In such an encryption algorithm, it is necessary to generate a random number each time a signature is generated, but it is desirable that the random number to be used be an “information (cryptographic) theoretically safe random number”.

Cryptographically safe random numbers are random numbers that satisfy the condition that "other bits cannot be estimated in polynomial time from an arbitrary part of a random number sequence". However, since this condition is quite severe, the following evaluation scale may be used in practice. However, these are just necessary conditions. (1) Uniformity of 0, 1 (2) Long periodicity (3) Non-linearity (4) Large linear complexity (5) Non-correlation Non-linearity means that random numbers are linear feedback shift registers This is not the output of (linear feedback shift register) itself. The maximum period of a sequence that can be generated by an n-stage linear feedback shift register is 2 ⁿ
−1, and the sequence of this cycle 2 ⁿ −1 is M sequence (maximum
length shift resister sequence). Therefore, the M-sequence, which is often used as a pseudo-random number, does not satisfy this criterion.

The linear complexity of a random number sequence refers to the minimum equivalent number of stages of a linear feedback shift register that produces the sequence. Taking the above-mentioned M sequence with a period of 2 ⁿ −1 as an example, since this is a sequence with the maximum period generated by the n-stage linear feedback shift register, the linear complexity of the M sequence is n. If the linear complexity is small, an equivalent random number generator can be easily configured, so it is easy to guess unknown bits, and it cannot be said to be a cryptographically secure random number.

The non-correlation means, for example, that the bits of the random number are independent of the other parts, and conversely, the correlation means that the unknown bits can be easily guessed. Conventionally,
Pseudo-random numbers have been commonly used as a random number source for encryption algorithms. However, from the above viewpoint, pseudorandom numbers cannot be said to be cryptographically safe random numbers. That is, since the pseudo random number is generated from a certain arithmetic process or a combination of functions, it is possible to generate the same random number by giving the same initial condition. Therefore, the cryptography using the pseudo-random number can be guessed at the generation method, is easily broken, and is insufficient in terms of maintaining confidentiality.

On the other hand, there is a method of generating a random number (hereinafter referred to as a physical random number) that is close to a truly random random number by utilizing a natural phenomenon such as an electric noise or a decay phenomenon of a radioactive substance.
Since the intensity of a signal due to such a natural phenomenon is generally weak, it is used after being amplified by an amplifier so as to be suitable for a digital circuit. However, when an electric field or a magnetic field is remotely applied from the outside, the amplifier and the noise generator are affected by such disturbances that the occurrence probabilities of “0” and “1” change. Therefore, there is a problem in that operability from the outside occurs, and the integrity and security of random numbers deteriorate.

In addition, in such a device, a failure such as deterioration of a random number generating element such as a semiconductor element which generates a physical random number or disconnection of a related circuit occurs, and the random number generating apparatus outputs true random number data. If it is not output, there is a risk of causing a problem such as the document management device not operating properly.

[0009]

SUMMARY OF THE INVENTION The present invention has been made in view of the above points, and an object of the present invention is to easily generate random numbers that are highly resistant to disturbance and cryptographically safe. An object of the present invention is to provide a high-performance random number generation device that is capable and suitable for downsizing. Another object of the present invention is to provide a random number generation device capable of detecting and dealing with its own failure.

[0010]

A random number generator according to the present invention combines a physical random number generator for generating a physical random number, a random number generator for generating a pseudo random number, and a random number by combining the physical random number and the pseudo random number. And a coupler for switching. Further, the random number generation device according to the present invention is
A physical random number generator that generates physical random number data, a pseudo random number generator that generates pseudo random number data, a logical operation circuit that performs logical operation of the physical random number data and pseudo random number data, and generates logical operation data, And a determination unit that determines whether or not the randomness of the logic operation data that has been fetched is sufficient.

[0011]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below in detail with reference to the drawings. In the drawings used in the following description, substantially equivalent components are designated by the same reference numerals. FIG. 1 is a block diagram showing the configuration of a random number generation device 5 according to the first exemplary embodiment of the present invention. The random number generation device 5 has two random number generation units, that is, a physical random number generation unit and a pseudo random number generation unit. The physical random number generation unit has a noise generator 11 and a random pulse generation circuit 15.
As will be described later, the random pulse generation circuit 15 generates a random pulse train using the noise signal from the noise generator 11 and outputs it as a physical random number. The pseudo random number generator has a pseudo random number generator 20 that generates a pseudo random number.

In the physical random number generator, the noise generator 11 generates a random noise signal. Various noise sources can be used as long as they are random. 2 and 3 are circuit diagrams showing examples of the noise generator 11. The noise generator 11 has, for example, a circuit that generates electrical noise. As shown in FIG. 2, a zener diode 13A is used for the noise generator 11. Resistor 12 is connected to the pn junction of Zener diode 13A.
A reverse bias voltage to such an extent that breakdown occurs is applied via the. Specifically, the power supply voltage Vc was set to +12 V, and the Zener diode 13A used had a Zener voltage of 6.3 V, which was about 1/2 of the power supply voltage. As a result, a weak breakdown current flows in the opposite direction of the Zener diode 13A, the average frequency is about 60 to 70 kHz, and the peak-to-peak voltage centered on the Zener voltage is several tens to several. A random noise voltage output of about 100 μV can be obtained.

Further, as shown in FIG. 3, the noise generator 11
The junction-type FET 13B can be used for. That is, the noise current when the reverse bias voltage is applied to the semiconductor junction of the FET 13B is used as the noise generation source. As described above, it is also possible to use a noise generation source that obtains a random signal by using another natural phenomenon. In the following, a case where a Zener diode is used for the noise generator 11 will be described as an example.

Since the noise voltage obtained by the noise generator 11 is weak, it is amplified by the amplifier 31 as shown in FIG. More specifically, for example, a two-stage operational amplifier is used for the amplifier 31. This amplifier 31
The voltage gain is about 74dB and the Zener voltage is 6.3V.
It is possible to obtain an amplified output having a peak-to-peak voltage of about several V centering at.

Next, the noise signal amplified by the amplifier 31 is supplied to the bandpass filter 33 and the frequency component of a predetermined band is extracted. A high pass filter or the like may be used instead of the band pass filter. The output of the bandpass filter 33 is supplied to the comparator circuit 35, is divided into a high level and a low level with a predetermined reference voltage (Vref) as a threshold, and is binarized. That is, since the amplified noise signal is substantially symmetrical about the Zener voltage of 6.3 V, the amplified noise signal can be binarized with the Zener voltage as the reference voltage. Alternatively, the AC component of the amplified noise signal with the DC component cut using a coupling capacitor or the like may be supplied to the comparator circuit 35, and binarization may be performed using a very stable ground voltage as the reference voltage. Good. Therefore, a random rectangular wave signal (binary signal) having no periodicity in the comparator circuit 35
Is generated. The reference voltage (Vref) is
It may be determined and generated in the comparator circuit 35, or a control circuit (not shown) that determines and generates the reference voltage may be provided.

The binary signal output from the comparator circuit 35 is supplied to the sampling circuit 36. The sampling circuit 36 samples the binary signal based on the clock signal (CLK), and obtains a signal sequence including bits of “0” and “1”. Since the input rectangular wave has no periodicity and the sampling timing is independent of the frequency of the input rectangular wave, the obtained bit sequence is
It can be expected to be a true random number sequence consisting of "0" and "1" bits. The clock signal (CLK) is supplied from a clock signal generation circuit (not shown). Alternatively, the clock signal (CLK) may be supplied from outside the random number generation device 5. Sampling circuit 36
A random pulse train is generated by sampling at. The random pulse train output from the sampling circuit 36 is converted into a voltage level suitable for the digital circuit in the subsequent stage. Alternatively, a voltage level conversion circuit may be separately provided. Therefore, as described above, the random pulse generation circuit 15 generates a random pulse train from the input noise signal and supplies this to the logical operation circuit 23 as a physical random number signal.

On the other hand, the pseudo random number generator 20 generates a pseudo random number signal based on the clock signal (CLK) and supplies it to the logical operation circuit 23. The pseudo random number generator 20 generates, for example, a pseudo random number including bits of “0” and “1” such as M series (longest series) and Gold series. The logical operation circuit 23 functions as a combiner that combines a physical random number and a pseudo random number to generate a random number. More specifically, the logical operation circuit 23 performs an exclusive-OR operation of the physical random number signal from the random pulse generation circuit 15 and the pseudo random number signal from the pseudo random number generator 20.
Therefore, the logical operation circuit 23 generates a logical value sequence consisting of “0” and “1” and outputs it as a random number.

The logical operation in the logical operation circuit 23 is not limited to the exclusive OR operation. For example, logical product (AN
It may be a D) operation, a logical sum (OR) operation, or a logical operation composed of a combination thereof. Further, smoothing means may be provided to smooth the random numbers so that the occurrence probabilities of “0” and “1” in the random numbers generated by the calculation in the logical operation circuit 23 become substantially equal.

According to the present invention, it is possible to easily generate cryptographically safe random numbers that have high resistance to external disturbances such as application of an electric field or magnetic field from the outside. For example, when the pseudo-random number generator 20 is a linear 15-bit M-sequence pseudo-random number generator, the 15-bit signal has a repeating pattern of 32767, "1" is 16384, and "0" is 16.
383. That is, the ratio of "1" to "0" is 9
It is 9.994%.

When a Zener diode is used for the noise generator 11, the noise voltage is about 1 mV, so that a product obtained by amplifying this by about 1000 times with an amplifier is suitable for a digital circuit. Such an amplifier is affected by the application of an electric field or magnetic field from the outside. That is, operability from the outside occurs. However, by performing an exclusive OR operation of the two random number outputs of the physical random number and the pseudo random number by the arithmetic unit, the ratio of "1" and "0" is hidden by the pseudo random number even if the disturbance of the electric field or the magnetic field is applied. To be done.

Even if the pseudo-random number is known, 3
It is impossible to estimate which phase of 2767 it is because it is hidden by noise due to the Zener diode even if the output of this calculator is observed. Decoding is possible by stopping the Zener noise and observing the phase, but the predictability of the random number generation device 5 can be lowered as long as the Zener noise is effective.

According to the present invention, as described above, it is possible to remarkably improve the integrity and security of random numbers by combining random numbers of two different systems. Furthermore, the circuit described above can be easily integrated into an IC, and an extremely small random number generation device can be realized. For example, it can be easily incorporated into a personal computer, a portable electronic device, or the like.

Therefore, by incorporating this device into a personal computer or the like as a "random number generation engine", it is possible to provide a true random number for signature generation using a digital signature algorithm. That is, it is possible to perform stable and highly secure communication as compared with the conventionally used random number generation device. Less than,
A second embodiment of the present invention will be described in detail with reference to the drawings.

FIG. 4 shows the configuration of a random number generator 50 according to the second embodiment of the present invention. As described above, the noise component of the current flowing through the semiconductor element can be used as a noise source. In this embodiment, however, the noise generator (circuit) 11 uses a bipolar transistor as a noise source. Specifically, as shown in FIG.
The noise signal in the collector current when a predetermined voltage is applied to each terminal of the np type bipolar transistor 13C is used. Further, among the noise signals, a noise signal in a frequency region where thermal noise (white noise) is dominant is used.

More specifically, the bipolar transistor 1
The noise signal of 3C is amplified by the amplifier circuit 115.
Next, the noise output amplified by the amplifier circuit 115 is supplied to the bandpass filter 117, and the thermal noise (white noise) component in the noise signal of the bipolar transistor 13C is extracted. That is, the pass band of the band pass filter 117 is selected so as to pass at least a part of the noise signal in the frequency region where thermal noise (white noise) is dominant.

The low-pass cutoff frequency of the bandpass filter 117 is determined in consideration of the sampling frequency. That is, it may be about twice the sampling frequency. Further, the verification content of the randomness determination, which will be described later, can be determined in further consideration. In this embodiment,
In consideration of these, the band pass filter 117 has a pass band of 10 kHz to 1 MHz. The output of the bandpass filter 117 is supplied to the comparison circuit (comparator) 121, and is divided into a high level and a low level using a predetermined reference voltage as a threshold value and binarized.

The output of the comparison circuit 121 is input to the level conversion circuit 123 and converted into the logic voltage level of the sampling circuit 125 in the subsequent stage. The output of the level conversion circuit 123 is a random rectangular wave with no periodicity. This rectangular wave is supplied to the sampling circuit 125. The sampling circuit 125 samples the input rectangular wave at a constant frequency that is somewhat lower than the frequency of the input rectangular wave (about a fraction or less), and obtains a series of "0" and "1" bits. Since the input rectangular wave has no periodicity and the sampling timing is independent of the frequency of the input rectangular wave, the obtained bit sequence has the same probability of occurrence of "0" and "1", respectively. It can be expected to be a true random number sequence.

The random number signal obtained in the sampling circuit 125 is supplied to the logical operation circuit 23. On the other hand, the pseudo random number generator 20 generates a pseudo random number signal based on the clock signal (CLK) and supplies it to the logical operation circuit 23.
The pseudo-random number generator 20 may be, for example, an M sequence (longest sequence),
A pseudo random number including bits of "0" and "1" such as Gold series is generated.

The logical operation circuit 23 functions as a combiner that combines a physical random number and a pseudo random number to generate a random number. More specifically, the logical operation circuit 23 is an exclusive-OR of the physical random number signal from the random pulse generation circuit 15 and the pseudo random number signal from the pseudo random number generator 20.
Make a calculation. Therefore, the logical operation circuit 23 generates a logical value sequence consisting of “0” and “1” and outputs it as a random number.

Next, the output terminal of the logical operation circuit 23 is connected to the gate circuit 40 and the randomness determination circuit 41.
The gate circuit 40 relays the random number output from the logical operation circuit 23 to an external output terminal (not shown) as long as it receives the gate-on command from the randomness determination circuit 41. When receiving the gate-off command from the randomness determination circuit 41, the relay of the random number output is stopped and the output of the random number data to the outside is stopped. The randomness determination circuit determines the randomness of the random number data from the logical operation circuit 23, and when it determines that the random number data has sufficient randomness, it outputs the random number data and the gate A gate-on command is supplied to the circuit 40.

The sequence of random numbers from the gate circuit 40 is an external interface (not shown), for example RS-23.
It is supplied to an external device via a 2C interface or the like. The sampling frequency needs to be set to a bit rate required by the external device. Next, the randomness determination circuit will be described with reference to the flowchart of FIG. The randomness determination circuit 41 determines whether the random number data output from the logical operation circuit 23 has sufficient randomness, and outputs a gate-on command as long as the random number data has sufficient randomness. However, when it is determined that the random number data does not have sufficient randomness, a gate-off command is issued. Randomness determination circuit 41
Performs such a function by executing a randomness determination subroutine formed by, for example, a microprocessor (not shown) and represented by the flowchart shown in FIG.

That is, this subroutine is executed by being interrupted at an appropriate timing by a main routine (not shown) which is periodically executed by the clock of the microprocessor. In this subroutine, first, random-number data m (m is a natural number) bits generated from the logical operation circuit 23 are sequentially taken in and written in a predetermined memory (step S1). Then, the appearance frequency of the written m-bit random number data is obtained. Then, whether or not the appearance frequency of the random number data is uniformly distributed in a certain range is confirmed by, for example, performing a χ ² test (step S2). If the uniformity of the appearance frequency cannot be confirmed, the gate-off output is instructed as the random number data lacking randomness (step S3). Then, a buzzer sound or the like is emitted to output an alarm (step S4).

When it is determined in step S2 that the appearance frequency of m-bit random number data is uniform, in the next step S5, random number data of the same value is periodically generated, and the fetched random number data is , As soon as it has aperiodicity, it is confirmed by, for example, a χ ² test. Then, when it is determined that the captured random number data does not satisfy the aperiodicity, steps S3 and S4 for instructing the gate-off output and the alarm output are executed. When it is determined in step S5 that the taken-in random number data satisfies the aperiodicity, the next step S6 is executed.

In this step S6, the two-dimensional appearance probability of the same m-bit random data that has been fetched is tested. Then, it is confirmed as soon as the distribution of the two-dimensional appearance probability has a non-sequential distribution. In other words, the fact that the received random number data is non-sequential means that it is difficult to predict the next random number data from one random number data.

If the non-sequentiality of the fetched random number data cannot be confirmed in step S6, step S3
And S4 are executed. On the other hand, when the non-sequentiality of the captured random number data is confirmed, step S7 is executed to supply the gate-on output to the gate circuit 40. In the randomness determination routine described above, as a requirement for randomness,
The three requirements of uniformity, non-periodicity, and non-sequentiality are tested. Uniformity is the most important, and if it has uniformity, it is judged to have randomness. In that case, it may be considered that there is no problem in practical use.

Further, in the alarm output of step S4, it is possible to display which of the requirements of uniformity, non-periodicity, and non-sequentiality is lacking for the convenience of trouble repair. What happens is that if "uniformity" is lacking, a specific signal (value) is generated due to a failure of a part of the physical random number generator, or if the random number is used as the cryptographic key of the cryptographic system, the cryptographic key statistical We can infer the situation of a cryptanalysis attack based on the prediction. In the case of lack of "non-periodicity", a specific signal (value) is periodically generated due to a failure of a component of the physical random number generator
Statistical prediction of the encryption key when periodic noise such as a clock is added to the noise, which is the source of the random number of the physical random number generator, from inside or outside the device, or when the random number is used as the encryption key of the encryption system. Or the situation of the attack based on the periodic forecast can be guessed. In the case of lack of "non-sequentiality", generation of continuous specific signals (values) due to failure of parts of the physical random number generator, or when random numbers are used for the encryption key of the cryptographic system, old ciphertext analysis is performed. , Because the situation of the cryptanalysis attack that predicts the encryption key can be guessed.

Although the logical operation circuit 23 has been described as a hardware configuration in FIGS. 1 and 4, it can be easily realized by software of a computer or firmware. By performing the above processing, it is possible to obtain a series of 0 and 1 that is closer to a true random number. The functions of the logical operation circuit 23, the gate circuit 40, and the randomness determination circuit 41 can be executed by one microcomputer.

The random number generator 50 of the present embodiment is manufactured as a so-called one-chip IC in which all the above-mentioned components are mounted on one chip. In this example,
The case where the pnp-type bipolar transistor is used as a noise generation source has been described as an example, but an npn-type bipolar transistor may be used. Also, not only the collector current,
Predetermined voltage (forward or reverse bias voltage) on each terminal
A noise signal obtained from any one of the terminals can be used when is applied. Further, not only bipolar transistors but also unipolar transistors such as field effect transistors (FETs), or noise signals generated in various semiconductor elements such as diodes can be used.

Further, the gate 40 is, for example, RS-232.
It can be configured by a so-called external interface circuit such as a C interface, in which case the gate-off command is equivalent to a so-called disable signal such as turning off the DTR (Data Terminal Ready).
As is clear from the above description, in the random number generation device according to the present invention, it is determined whether the random number data output has sufficient randomness and is constantly monitored to determine that the randomness is not satisfied. In such a case, since the output of the random number data is stopped, even if the random number generation device should fail, it is possible to prevent the document management device or the like that operates based on the random number data from performing an inappropriate operation.

Therefore, by incorporating this apparatus into a personal computer or the like as a "genuine random number generating engine", it is possible to provide "genuine random numbers (physical random numbers)" for signature generation using a digital signature algorithm. At the same time, that is, it is possible to perform communication with much higher security accuracy than in the case of using a pseudo random number that has been conventionally used.

This device is extremely suitable for use as an IC, and is not limited to a personal computer, a server, etc., but can be easily incorporated in a small computer such as a mobile terminal device, a mobile phone, a communication device, etc. have. Hereinafter, a third embodiment of the present invention will be described in detail with reference to the drawings. FIG. 7 shows the configuration of the random number generation device 50 according to the third embodiment of the present invention.

In the present embodiment, the noise generator 11 uses a bipolar transistor as a noise source. Further, in the random number generation device 50 of the present embodiment, the random number sequence “0” obtained in the random pulse generation circuit 15 is used.
And the smoothing circuit 45 that performs smoothing so that the occurrence probabilities of "1" are equal to each other.
It is provided in the latter part of 5.

For smoothing, when the imbalanced sequence of 0 and 1 is x ₁ , x ₂ , x ₃ , ... And the obtained random number is y,

[0044]

[Equation 1]

Can be performed using here,

[0046]

[Outer 1]

Is an operation representing a sum modulo 2 (exclusive OR). It is shown that the resulting sequence of y has improved balance. That is, x ₁ , x ₂ , x
_In the sequence of ₃ , ..., The occurrence probability of 0 is p, the occurrence probability of 1 is q
= 1-p, the occurrence probability of 0 for P is P, and the occurrence probability of 1 is Q = 1-P, the imbalance of y is given by P-Q = (p-q) ⁿ . Here, n is a block size in smoothing. The larger the value of n, the smaller the imbalance becomes exponentially. The ratio of the occurrence probabilities of “0” and “1” may be set within a predetermined range according to the required degree of randomness.

The physical random number signal from the smoothing circuit 45 is supplied to the logical operation circuit 23. The logical operation circuit 23 performs a logical operation on the physical random number signal from the smoothing circuit 45 and the pseudo random number signal from the pseudo random number generator 20 to generate a random number. 0 obtained in the logical operation circuit 23,
The sequence of true random numbers consisting of 1 is supplied to the gate circuit 40 and the randomness determination circuit 41. As long as the gate circuit 40 receives the gate-on command from the randomness determination circuit 41,
The random number output from the logical operation circuit 23 is relayed to an external output terminal (not shown). When receiving the gate-off command from the randomness determination circuit 41, the relay of the random number output is stopped,
Stop output of random number data to the outside. The randomness determination circuit determines the randomness of the random number data from the logical operation circuit 23, and when it determines that the random number data has sufficient randomness, it outputs the random number data and the gate A gate-on command is supplied to the circuit 40.

The randomness determination circuit 41 is a logical operation circuit 23.
It is determined whether the random number data output from the device has sufficient randomness, and if the random number data has sufficient randomness, the gate-on command is output to check that the random number data has sufficient randomness. When it is determined that it is not equipped, a gate-off command is issued. Randomness determination circuit 4
1 is formed by, for example, a microprocessor (not shown), and achieves such a function by executing the randomness determination subroutine represented by the flowchart (FIG. 3) as shown in the second embodiment.

In the randomness determination routine, it is not always necessary to test the three requirements of uniformity, non-periodicity, and non-sequentiality as requirements for randomness. For example, randomness may be determined by testing only uniformity. Further, there may be a case where the generated random numbers have correlation due to some periodic phenomenon such as periodic disturbance. For example, the noise generator can be configured to eliminate the periodicity in the noise signal generated and skip the aperiodicity requirement test. Such correlation can be prevented by using, for example, band-limited white noise as a noise source. Therefore, in the present embodiment, the pass band of the band pass filter 33 is set to 15 kHz.
The periodicity is removed by setting the frequency to several hundreds of kHz and limiting the low frequency band. In this case, the low-pass cutoff frequency of the bandpass filter 33 may be appropriately determined according to the period of possible periodic correlation. Also,
The high cutoff frequency is the number of bits of the random number to be generated,
It may be appropriately determined according to the bit rate and the like.

As described above, by reducing the number of test items, simple and high-speed randomness determination can be performed. Although the case where the smoothing circuit 45 is provided in the subsequent stage of the sampling circuit 36 is shown, the smoothing circuit 45 is provided in the subsequent stage of the logical operation circuit 23 to smooth the data after logical operation (logical operation data). May be performed.

[0052]

As described above in detail, according to the present invention, it is possible to easily generate random numbers that are cryptographically safe and highly resistant to disturbances, and have high performance suitable for miniaturization. A random number generation device can be realized. In addition, by incorporating this device into a computer or an electronic device such as a communication device as a "genuine random number generation engine", "genuine random number (physical random number)" can be provided, and
It is possible to perform communication with extremely high security accuracy.

[Brief description of drawings]

FIG. 1 is a block diagram showing a configuration of a random number generation device that is an embodiment of the present invention.

FIG. 2 is a circuit diagram showing an example of a noise generator that generates electrical noise.

FIG. 3 is a circuit diagram showing another example of a noise generator that generates electrical noise.

FIG. 4 is a block diagram showing a configuration of a random number generation device that is a second exemplary embodiment of the present invention.

FIG. 5 is a circuit diagram showing an example of a noise generator using a bipolar transistor as a noise source.

6 is a flowchart showing an example of a randomness test operation of the random number generation device shown in FIG.

FIG. 7 is a block diagram showing a configuration of a random number generation device that is a third exemplary embodiment of the present invention.

[Explanation of symbols for main parts]

11,105 noise generator 13A Zener diode 13B FET 13C bipolar transistor 15 Random pulse generation circuit 20 Pseudo random number generator 23 Logical operation circuit 31,115 Amplifier 33,117 bandpass filter 35,121 Comparator circuit 36,125 sampling circuit 40 gate circuit 41 Randomness determination circuit 45 Smoothing circuit

Claims (25)

[Claims] 1. A physical random number generator for generating a physical random number, a random number generator for generating a pseudo random number, and a combiner for generating a random number by combining the physical random number and the pseudo random number. Random number generator. 2. The random number generation device according to claim 1, wherein the combiner includes a logical operation circuit that performs a logical operation of the physical random number and the pseudo random number. 3. The random number generation device according to claim 2, wherein the logical operation includes an exclusive OR operation. 4. The random number generation device according to claim 1, wherein the physical random number generator includes a noise signal generator that generates an electrical noise signal, and an amplifier that amplifies the electrical noise signal. 5. The random number generation device according to claim 4, wherein the physical random number generator includes a filter that allows a predetermined high frequency band component of the electrical noise signal to pass therethrough. 6. The random number generator according to claim 1, wherein the pseudo random number generator generates an M-sequence random number. 7. The smoothing means for smoothing the random numbers according to the occurrence probabilities of “0” and “1” in the random numbers generated by the combiner.
The described random number generator. 8. The smoothing means for smoothing a random number according to the occurrence probabilities of “0” and “1” in the random number generated by the physical random number generator. Random number generator. 9. The physical random number generator comprises a semiconductor element including a junction, a reverse bias applying means for applying a reverse bias voltage to the junction such that a breakdown current is generated, and a noise signal generated in a current path including the junction. 9. The random number generation device according to claim 1, further comprising: an amplifier for amplifying the random number. 10. The physical random number generator includes a semiconductor element including a junction, voltage applying means for applying a bias voltage to the junction, and an amplifier for amplifying a noise signal generated in a current path including the junction. 9. The random number generation device according to claim 1, wherein the random number generation device is a random number generation device. 11. The random number generation device according to claim 10, wherein the semiconductor element is a bipolar transistor. 12. The random number generation device according to claim 10, further comprising a bandpass filter that allows a white noise component of the noise signal to pass therethrough. 13. A physical random number generator for generating physical random number data, a pseudo random number generator for generating pseudo random number data, and a logical operation of the physical random number data and the pseudo random number data to generate logical operation data. A random number generation device comprising: a logical operation circuit; and a determination unit that receives the logical operation data and determines whether or not the randomness of the acquired logical operation data is sufficient. 14. A prohibition means for prohibiting output of the logical operation data to the next stage when it is determined that the randomness of the logical operation data is insufficient. Random number generator. 15. The determination means determines the randomness of the logical operation data based on the appearance probability of the same data value in the logical operation data.
3. The random number generation device described in 3. 16. The method according to claim 13, wherein the determining means tests the appearance probability of the same data value in the logical operation data in the order of uniformity, non-periodicity, and non-sequentiality. Random number generator. 17. The physical random number generator includes a semiconductor element including a junction, voltage applying means for applying a bias voltage to the junction, and a digital signal obtained by sampling a noise signal generated in a current path including the junction. 14. The random number generation device according to claim 13, further comprising: a digitizing circuit that outputs as a random number. 18. An amplifier circuit for obtaining an amplified signal of the noise signal, a comparator circuit for comparing the amplified signal with a predetermined reference voltage to obtain a binarized signal, sampling the binarized signal, "0" and "1"
18. A random number generation device according to claim 17, further comprising a sampling circuit that obtains a sampling value sequence consisting of. 19. The random number generation device according to claim 17, further comprising a bandpass filter that allows a white noise component of the noise signal to pass therethrough. 20. The random number generation device according to claim 17, wherein the semiconductor element is a bipolar transistor. 21. The random number generation device according to claim 18, further comprising control means for controlling the reference voltage in accordance with the respective occurrence probabilities of "0" and "1" in the sampling value series. 22. The random number generation device according to claim 18, further comprising means for smoothing the sampling value series according to the occurrence probabilities of “0” and “1” in the sampling value series. 23. The random number generation device according to claim 13, wherein the determination means tests the uniformity of the logical operation data. 24. The random number generation device according to claim 23, further comprising band limiting means for allowing a predetermined frequency band component of the noise signal to pass therethrough. 25. The random number generator according to claim 24, wherein the low cutoff frequency of the band limiting means is determined according to the frequency of the disturbance signal in the noise signal.